Incident-Driven Introspection For Data Loss Prevention

ABSTRACT

The technology disclosed teaches incident-driven and user-targeted data loss prevention that includes a CASB controlling exfiltration of sensitive content in documents stored on cloud-based services in use by organization users, by monitoring manipulation of the documents. CASB identifies the cloud-based services that the particular user has access to and at least one document location on the cloud-based services to inspect for sensitive documents, in response to receiving an indication that user credentials have been compromised. The CASB performs deep inspection of documents identified as stored at the location and detects at least some sensitive documents. Based on the detected sensitive documents, the CASB determines data exposure for the organization due to the compromised credentials of the particular user. The disclosed technology also teaches controlling infiltration of contaminating content on cloud-based services in use by users of an organization by monitoring content deposited to the cloud-based services.

INCORPORATIONS

The following materials are incorporated by reference in this filing:

U.S. Non Provisional application Ser. No. 14/198,508, entitled “SECURITY FOR NETWORK DELIVERED SERVICES”, filed on Mar. 5, 2014 (Attorney Docket No. NSKO 1000-3) (now U.S. Pat. No. 9,270,765, issued Feb. 23, 2016),

U.S. Non Provisional application Ser. No. 14/198,499, entitled “SECURITY FOR NETWORK DELIVERED SERVICES”, filed Mar. 5, 2014 (Attorney Docket No. NSKO 1000-2) (now U.S. Pat. No. 9,398,102, issued on Jul. 19, 2016),

U.S. Non Provisional application Ser. No. 14/835,640, entitled “SYSTEMS AND METHODS OF MONITORING AND CONTROLLING ENTERPRISE INFORMATION STORED ON A CLOUD COMPUTING SERVICE (CCS)”, filed on Aug. 25, 2015 (Attorney Docket No. NSKO 1001-2) (now U.S. Pat. No. 9,928,377, issued on Mar. 27, 2018),

U.S. Non Provisional application Ser. No. 15/368,240, entitled “SYSTEMS AND METHODS OF ENFORCING MULTI-PART POLICIES ON DATA-DEFICIENT TRANSACTIONS OF CLOUD COMPUTING SERVICES”, filed on Dec. 2, 2016 (Attorney Docket No. NSKO 1003-2), which claims the benefit of U.S. Provisional Application No. 62/307,305, entitled “SYSTEMS AND METHODS OF ENFORCING MULTI-PART POLICIES ON DATA-DEFICIENT TRANSACTIONS OF CLOUD COMPUTING SERVICES”, filed on Mar. 11, 2016 (Attorney Docket No. NSKO 1003-1),

U.S. Non Provisional application Ser. No. 14/835,632, entitled “SYSTEMS AND METHODS OF PER-DOCUMENT ENCRYPTION OF ENTERPRISE INFORMATION STORED ON A CLOUD COMPUTING SERVICE (CCS)”, filed on Aug. 25, 2015 (Attorney Docket No. NSKO 1002-1) (now U.S. Pat. No. 10,114,966, issued on Oct. 30, 2018), which claims the benefit of U.S. Provisional Application No. 62/135,656, entitled “SYSTEMS AND METHODS OF MONITORING AND CONTROLLING ENTERPRISE INFORMATION STORED ON A CLOUD COMPUTING SERVICE (CCS), filed on Mar. 19, 2015 (Attorney Docket No. NSKO 1001-1),

U.S. Non Provisional application Ser. No. 15/368,246, entitled “MIDDLE WARE SECURITY LAYER FOR CLOUD COMPUTING SERVICES”, filed on Dec. 2, 2016 (Attorney Docket No. NSKO 1003-3), which claims the benefit of U.S. Provisional Application No. 62/307,305, entitled “SYSTEMS AND METHODS OF ENFORCING MULTI-PART POLICIES ON DATA-DEFICIENT TRANSACTIONS OF CLOUD COMPUTING SERVICES”, filed on Mar. 11, 2016 (Attorney Docket No. NSKO 1003-1),

“Cloud Security for Dummies, Netskope Special Edition” by Cheng, Ithal, Narayanaswamy, and Malmskog, John Wiley & Sons, Inc. 2015,

“Netskope Introspection” by Netskope, Inc.,

“Data Loss Prevention and Monitoring in the Cloud” by Netskope, Inc.,

“Cloud Data Loss Prevention Reference Architecture” by Netskope, Inc.,

“The 5 Steps to Cloud Confidence” by Netskope, Inc.,

“The Netskope Active Platform” by Netskope, Inc.

“The Netskope Advantage: Three “Must-Have” Requirements for Cloud Access Security Brokers” by Netskope, Inc.,

“The 15 Critical CASB Use Cases” by Netskope, Inc.

“Netskope Active Cloud DLP” by Netskope, Inc.,

“Repave the Cloud-Data Breach Collision Course” by Netskope, Inc.; and

“Netskope Cloud Confidence Index™” by Netskope, Inc.

which are incorporated by reference for all purposes as if fully set forth herein.

FIELD OF THE TECHNOLOGY DISCLOSED

The technology disclosed relates generally to security for network delivered services, and in particular relates to incident-driven and user-targeted data loss prevention by a cloud access security broker (CASB) controlling exfiltration of sensitive content in documents stored on cloud-based services in use by users of an organization, by monitoring manipulation of the documents. The disclosed technology additionally relates to data loss prevention by a CASB controlling infiltration of contaminating content on cloud-based services in use by an organization.

BACKGROUND

The subject matter discussed in this section should not be assumed to be prior art merely as a result of its mention in this section. Similarly, a problem mentioned in this section or associated with the subject matter provided as background should not be assumed to have been previously recognized in the prior art. The subject matter in this section merely represents different approaches, which in and of themselves can also correspond to implementations of the claimed technology.

The use of cloud services for corporate functionality is common. According to International Data Corporation, almost half of all information technology (IT) spending will be cloud-based in 2018, “reaching 60% of all IT infrastructure and 60-70% of all software, services and technology spending by 2020.” For example, enterprise companies often utilize software as a service (SaaS) solutions instead of installing servers within the corporate network to deliver services.

Network architecture approaches that log and protect access on a corporate network offer limited control. VPN solutions are often used to control access to the protected corporate network. Proxies, both transparent and explicit, are often used to filter or limit access to undesirable web sites, when the client is accessing the web sites from within the corporate network. Filtering software can also be installed on client computers, e.g. safe browsing software, to enforce limits on access. Additionally, the sprawl of “bring your own devices” (BYODs) motivate the need for additional network-based security protections. A viable security solution provides centrally administered control, enforcing the same protection policy across multiple devices, network services, and networks—including corporate networks.

Data is the lifeblood of many businesses and must be effectively managed and protected to meet compliance requirements. Protecting data in the past was focused primarily for on premise scenarios, but with the increased adoption of cloud services, companies of all sizes are relying on the cloud to create, edit and store data. This presents new challenges as users access cloud services from multiple devices and share data, including with people outside of an organization. It is easy for data to get out of an organization's control.

As the number of cloud services increases exponentially, there are hundreds of ways data can leak. Employees might attach a wrong file while sending e-mails, hit the send button too early, not be careful when rushing to a deadline, or share data and collaborate with people outside of their organization. Native cloud storage sync clients also pose a significant risk to organizations, as a continuous sync takes place between the end point and the cloud service without employees realizing they may be leaking confidential company information. Additionally, cloud services are making it possible for disgruntled workers to steal intellectual property. Also, sharing content from the cloud has never been easier. The challenge is the risk that sensitive data could get into the wrong hands. For example, when logs that contain sensitive data such as customers' personally identifiable information (PII), non-public financials, strategic plans and customer lists are stored in the cloud, the data needs to be protected.

An opportunity arises to determine data exposure for an organization due to compromised credentials of a particular user or set of users. Additionally litigation exposure for an organization due to the access of a new user to infiltrated contaminating content post-joining can be determined.

BRIEF DESCRIPTION OF THE DRAWINGS

In the drawings, like reference characters generally refer to like parts throughout the different views. Also, the drawings are not necessarily to scale, with an emphasis instead generally being placed upon illustrating the principles of the technology disclosed. In the following description, various implementations of the technology disclosed are described with reference to the following drawings.

FIG. 1A illustrates an architectural level schematic of a system for incident-driven and user-targeted data loss prevention.

FIG. 1B shows a block diagram for incident-driven and user-targeted data loss prevention.

FIG. 2 is an exemplary event log entry in a JSON-style representation.

FIG. 3 shows a log that contains user-by-user data and file-by-file data that identify user file sharing behavior.

FIG. 4 and FIG. 5 show example folder structures for two cloud-based apps. FIG. 4 shows folders for an Outlook online application, for drafts, sent items, deleted items, junk email, outbox, RSS subscriptions and search folders. FIG. 5 shows a set of shared folders in cloud-based app Box.

FIG. 6 illustrates a visibility dashboard that provides visibility of enterprise information stored on a cloud computing service.

FIG. 7A, FIG. 7B, FIG. 7C, FIG. 7D and FIG. 7E show aspects of a visibility dashboard usable for displaying data exposure details for an organization due to the compromised credentials of a particular user, based on the detected sensitive documents.

FIG. 7A shows a display of the compromised credentials for incidents for 15 users.

FIG. 7B shows violations and file exposure for a single user.

FIG. 7C shows folders for a user with compromised credentials.

FIG. 7D shows graphs of file exposure, violations by file type including container files, documents, images and folders.

FIG. 7E shows an example set of data reported by Netskope cloud access security broker for a Cisco Spark web interface for a single user.

FIG. 8 shows a representative method of incident-driven and user-targeted data loss prevention.

FIG. 9 shows a representative method for controlling infiltration of contaminating content on cloud-based services in use by users of an organization by monitoring content deposit to the cloud-based services.

FIG. 10 shows a representative method for incident-driven and user-targeted data loss prevention without needing to perform content sensitivity scan.

FIG. 11 is a simplified block diagram of a computer system 1100 that can be used to implement incident-driven and user-targeted data loss prevention.

FIG. 12 shows a representative method for request-driven and user-targeted data loss prevention for the right to be forgotten request use case.

DETAILED DESCRIPTION

The following detailed description is made with reference to the figures. Sample implementations are described to illustrate the technology disclosed, not to limit its scope, which is defined by the claims. Those of ordinary skill in the art will recognize a variety of equivalent variations on the description that follows.

Cloud computing ranks as the top risk concern for executives in risk, audit, finance and compliance, according to a survey by Gartner conducted in 2018. As more and more software, services and technology spending moves to cloud computing solutions, the need for data security continues to expand. For example, customers with strict data-privacy controls require that the personally identifiable information (PII) of their users be encrypted before it is stored in the cloud. That is, customers require that data security solutions address privacy concerns of users, including the General Data Protection Regulation (GDPR) on data protection and privacy for individuals within the European Union (EU) and the European Economic Area (EEA), which also addresses the export of personal data outside the EU and EEA areas. GDPR also codifies the right to be forgotten, in addition to the right to erasure, and regulates erasure obligations. The right to be forgotten has been defined as the right to silence on past events in life that are no longer occurring, and leads to allowing individuals to have information, videos or photographs about themselves deleted from certain internet records so that they cannot be found by search engines. Personal data must be erased immediately where the data are no longer needed for their original processing purpose, or the data subject has withdrawn consent and there is no other legal ground for processing, the data subject has objected and there are no overriding legitimate grounds for the processing, or erasure is required to fulfill a statutory obligation under the EU law.

When data is stored in the cloud, traditional firewalls are not able to effectively control the downloading and uploading of data. Data security depends on users' credentials. An attacker can gain access to a host by exploiting an application or operating system vulnerability, manipulating a user, leveraging stolen credentials, or taking advantage of lax security practices. Usage anomalies, such as an employee downloading, sharing, or uploading data from an app excessively or logins from multiple locations can indicate compromised credentials. In one example, compromised credentials are identified by alerting on new or rare authentication activity. These usage anomalies can indicate out-of-compliance behaviors and even the presence of malware.

Introspection is usable to scan the users for a specific action. Because introspection is very expensive, historical approaches have typically limited scans to the ‘sent items’ folder for an app such as Office 365 due to the concern that sensitive data is leaving the organization. Security administrators at organizations need to have the option of targeting scanning to cloud-based services that particular users have access to and a more complete list of document locations to determine what sensitive data, associated with a particular user, may have been compromised. This approach is useful for software as a service (SaaS) applications, such as Office 365, Box™ storage application and Dropbox™ file hosting application, to look for data that could have been breached due to a particular user's compromised credentials.

The disclosed technology for incident-driven and user-targeted data loss prevention solves the problem of determining data exposure for an organization due to the compromised credential of a particular user at the organization. Trigger events that indicate that credentials of a particular user have been compromised can be a new email coming into a compromised database. In one use case, an administrator identifies a list of users who are under investigation and on a request basis, a disclosed enhanced N-CASB identifies one or more of the cloud-based services that the users have access to and at least one document location on the cloud-based service to inspect for sensitive documents, and performs deep inspection of documents stored at the identified document locations, such as folders in Office 365, Box, Dropbox or Google Docs, for each of the identified users. Users who utilize email addresses that appear in compromised credentials are identified for investigation in one example. The compromised credential is the user's email address in many cases. Based on detected sensitive documents, the N-CASB determines data exposure for the organization due to the compromised credentials of the identified user.

In another use case, after a user has exited an organization, the disclosed N-CASB identifies one or more document locations on at least one of the cloud-based services to which the user continued to have access post-exit, performs deep inspection of documents stored at the identified document locations and detects sensitive documents. Based on the sensitive documents, the N-CASB determines data exposure for the organization due to the continued access of the particular user to the sensitive documents post-exit.

In a third use case, the disclosed N-CASB controls infiltration of contaminating content on cloud-based services in use by users of an organization by monitoring content deposit to the cloud-based services. Contaminating content can include information from a former employer or other competitor organization. The N-CASB identifies the cloud-based services that the particular user has access to and at least one document location on the cloud-based services that the new user gained access to post-joining, to inspect for sensitive documents, and performs deep inspection of content stored at document locations that the new user gained access to post-joining . If contaminating content is detected, the N-CASB determines a litigation exposure for the organization due to the access of the new user. An example system for incident-driven and user-targeted data loss prevention is described next.

FIG. 1A shows an architectural level schematic of a system 100 for incident-driven and user-targeted data loss prevention. Because FIG. 1A is an architectural diagram, certain details are intentionally omitted to improve clarity of the description. The discussion of FIG. 1A will be organized as follows. First, the elements of the figure will be described, followed by their interconnections. Then, the use of the elements in the system will be described in greater detail.

System 100 includes organization network 102, Netskope cloud access security broker (N-CASB) 155, cloud services 108 and public network 145. Organization network 102 includes computers 112 a-n, tablets 122 a-n and cell phones 132 a-n. In another organization network, additional mobile devices may be utilized by organization users. Netskope cloud access security broker (N-CASB) 155 governs access and activities in sanctioned and unsanctioned cloud apps, secures sensitive data and prevents its loss, and protects against internal and external threats. Cloud services 108 includes cloud-based hosting service 118, cloud hosted email services128 and cloud-based storage service 138.

Continuing with the description of FIG. 1A, Netskope cloud access security broker (N-CASB) 155 includes active analyzer 165 and introspective analyzer 175 that identify the users of the system and sets policies for apps. Introspective analyzer 175 interacts directly with cloud-based services 108 for inspecting data at rest. In a polling mode, introspective analyzer 175 calls the cloud-based services using API connectors to crawl data resident in the cloud-based services and check for changes. As an example, Box™ storage application provides an admin API called the Box Content API™ that provides visibility into an organization's accounts for identified users, including audit logs of Box folders, that can be inspected to determine whether any sensitive files were downloaded after a particular date, at which the credentials were compromised. Introspective analyzer 175 polls this API to discover any changes made to any of the accounts. If changes are discovered, the Box Events API™ is polled to discover the detailed data changes. In a callback model, introspective analyzer 175 registers with the cloud-based services via API connectors to be informed of any significant events. For example, introspective analyzer 175 can use Microsoft Office 365 Webhooks API™ to learn when a file has been shared externally. Introspective analyzer 175 also has deep API inspection (DAPII), deep packet inspection (DPI), and log inspection capabilities and includes a DLP engine that applies the different content inspection techniques on files at rest in the cloud-based services, to determine which documents and files are sensitive, based on policies and rules stored in storage 186. The result of the inspection by introspective analyzer 175 is generation of user-by-user data and file-by-file data. After being generated, the user-by-user data and the file-by-file data is stored in metadata store 148. In one implementation, the user-by-user data and the file-by-file data is stored in a semi-structured data format like JSON, BSON (Binary JSON), XML, Protobuf, Avro, or Thrift object, which comprises fields (or columns) and corresponding values of potentially different types like numbers, strings, arrays, and objects.

Continuing further with the description of FIG. 1A, N-CASB 155 further includes monitor 184 that includes extraction engine 171, classification engine 172, security engine 173, management plane 174 and data plane 180. Also included in N-CASB 155, storage 186 includes content policies 187, content profiles 188, content inspection rules 189, enterprise data 197, information for clients 198 and user identities 199. Enterprise data 197 can include organizational data, including but not limited to, intellectual property, non-public financials, strategic plans, customer lists, personally identifiable information (PII) belonging to customers or employees, patient health data, source code, trade secrets, booking information, partner contracts, corporate plans, merger and acquisition documents and other confidential data. In particular, the term “enterprise data” refers to a document, a file, a folder, a webpage, a collection of webpages, an image, or any other text-based document. User identity refers to an indicator that is provided by the network security system to the client device, in the form of a token, a unique identifier such as a UUID, a public-key certificate, or the like. In some cases, the user identity can be linked to a specific user and a specific device; thus, the same individual can have a different user identity on their mobile phone vs. their computer. The user identity can be linked to an entry or userid corporate identity directory, but is distinct from it. In one implementation, a cryptographic certificate signed by the network security is used as the user identity. In other implementations, the user identity can be solely unique to the user and be identical across devices.

Embodiments can also interoperate with single sign-on (SSO) solutions and/or corporate identity directories, e.g. Microsoft's Active Directory. Such embodiments may allow policies to be defined in the directory, e.g. either at the group or user level, using custom attributes. Hosted services configured with the system are also configured to require traffic via the system. This can be done through setting IP range restrictions in the hosted service to the IP range of the system and/or integration between the system and SSO systems. For example, integration with a SSO solution can enforce client presence requirements before authorizing the sign-on. Other embodiments may use “proxy accounts” with the SaaS vendor—e.g. a dedicated account held by the system that holds the only credentials to sign in to the service. In other embodiments, the client may encrypt the sign on credentials before passing the login to the hosted service, meaning that the networking security system “owns” the password.

Storage 186 can store information from one or more tenants into tables of a common database image to form an on-demand database service (ODDS), which can be implemented in many ways, such as a multi-tenant database system (MTDS). A database image can include one or more database objects. In other implementations, the databases can be relational database management systems (RDBMSs), object oriented database management systems (OODBMSs), distributed file systems (DFS), no-schema database, or any other data storing systems or computing devices. In some implementations, the gathered metadata is processed and/or normalized. In some instances, metadata includes structured data and functionality targets specific data constructs provided by cloud services 108. Non-structured data, such as free text, can also be provided by, and targeted back to cloud services 108. Both structured and non-structured data are capable of being aggregated by introspective analyzer 175. For instance, the assembled metadata is stored in a semi-structured data format like a JSON (JavaScript Option Notation), BSON (Binary JSON), XML, Protobuf, Avro or Thrift object, which consists of string fields (or columns) and corresponding values of potentially different types like numbers, strings, arrays, objects, etc. JSON objects can be nested and the fields can be multi-valued, e.g., arrays, nested arrays, etc., in other implementations. These JSON objects are stored in a schema-less or NoSQL key-value metadata store 148 like Apache Cassandra™ 158, Google's BigTable™, HBase™, Voldemort™, CouchDB™, MongoDB™, Redis™, Riak™, Neo4j™, etc., which stores the parsed JSON objects using keyspaces that are equivalent to a database in SQL. Each keyspace is divided into column families that are similar to tables and comprise of rows and sets of columns.

In one implementation, introspective analyzer 175 includes a metadata parser (omitted to improve clarity) that analyzes incoming metadata and identifies keywords, events, user IDs, locations, demographics, file type, timestamps, and so forth within the data received. Parsing is the process of breaking up and analyzing a stream of text into keywords, or other meaningful elements called “targetable parameters”. In one implementation, a list of targeting parameters becomes input for further processing such as parsing or text mining, for instance, by a matching engine (not shown). Parsing extracts meaning from available metadata. In one implementation, tokenization operates as a first step of parsing to identify granular elements (e.g., tokens) within a stream of metadata, but parsing then goes on to use the context that the token is found in to determine the meaning and/or the kind of information being referenced. Because metadata analyzed by introspective analyzer 175 are not homogenous (e.g., there are many different sources in many different formats), certain implementations employ at least one metadata parser per cloud service, and in some cases more than one. In other implementations, introspective analyzer 175 uses monitor 184 to inspect the cloud services and assemble content metadata. In one use case, the identification of sensitive documents is based on prior inspection of the document. Users can manually tag documents as sensitive, and this manual tagging updates the document metadata in the cloud services. It is then possible to retrieve the document metadata from the cloud service using exposed APIs and use them as an indicator of sensitivity.

In the interconnection of the elements of system 100, network 145 couples computers 112 a-n, tablets 122 a-n, cell phones 132 a-n, cloud-based hosting service 118, web service 128, cloud-based storage service 138 and N-CASB 155 in communication. The communication path can be point-to-point over public and/or private networks. Communication can occur over a variety of networks, e.g. private networks, VPN, MPLS circuit, or Internet, and can use appropriate application program interfaces (APIs) and data interchange formats, e.g. REST, JSON, XML, SOAP and/or JMS. The communications can be encrypted. This communication is generally over a network such as the LAN (local area network), WAN (wide area network), telephone network (Public Switched Telephone Network (PSTN), Session Initiation Protocol (SIP), wireless network, point-to-point network, star network, token ring network, hub network, Internet, inclusive of the mobile Internet, via protocols such as EDGE, 3G, 4G LTE, Wi-Fi, and WiMAX. Additionally, a variety of authorization and authentication techniques, such as username/password, OAuth, Kerberos, SecureID, digital certificates, and more, can be used to secure the communications.

Further continuing with the description of the system architecture in FIG. 1A, N-CASB 155 includes monitor 184 and storage 186 which can include one or more computers and computer systems coupled in communication with one another. They can also be one or more virtual computing and/or storage resources. For example, monitor 184 can be one or more

Amazon EC2 instances and storage 186 can be Amazon S3™ storage. Other computing-as-service platforms such as Rackspace, Heroku or Force.com from Salesforce could be used rather than implementing N-CASB 155 on direct physical computers or traditional virtual machines. Additionally, one or more engines can be used and one or more points of presence (POPs) can be established to implement the security functions. The engines or system components of FIG. 1A are implemented by software running on varying types of computing devices. Example devices are a workstation, a server, a computing cluster, a blade server, and a server farm, or any other data processing system or computing device. The engine can be communicably coupled to the databases via a different network connection. For example, extraction engine 171 can be coupled via network(s) 145 (e.g., the Internet), classification engine 172 can be coupled via a direct network link and security engine 173 can be coupled by yet a different network connection. For the disclosed technology, the data plane 180 POPs is hosted on the client's premises or located in a virtual private network controlled by the client.

N-CASB 155 provides a variety of functions via a management plane 174 and a data plane 180. Data plane 180 includes an extraction engine 171, a classification engine 172, and a security engine 173, according to one implementation. Other functionalities, such as a control plane, can also be provided. These functions collectively provide a secure interface between cloud services 108 and organization network 102. Although we use the term “network security system” to describe N-CASB 155, more generally the system provides application visibility and control functions as well as security. In one example, thirty-five thousand cloud applications are resident in libraries that intersect with servers in use by computers 112 a-n, tablets 122 a-n and cell phones 132 a-n in organization network 102.

Computers 112 a-n, tablets 122 a-n and cell phones 132 a-n in organization network 102 include management clients with a web browser with a secure web-delivered interface provided by N-CASB 155 to define and administer content policies 187, according to one implementation. N-CASB 155 is a multi-tenant system, so a user of a management client can only change content policies 187 associated with their organization, according to some implementations. In some implementations, APIs can be provided for programmatically defining and or updating policies. In such implementations, management clients can include one or more servers, e.g. a corporate identities directory such as a Microsoft Active Directory, pushing updates, and/or responding to pull requests for updates to the content policies 187. Both systems can coexist; for example, some companies may use a corporate identities directory to automate identification of users within the organization while using a web interface for tailoring policies to their needs. Management clients are assigned roles and access to the N-CASB 155 data is controlled based on roles, e.g. read-only vs. read-write.

In addition to periodically generating the user-by-user data and the file-by-file data and persisting it in metadata store 148, active analyzer 165 and introspective analyzer 175 also enforce security policies on the cloud traffic. For further information regarding the functionality of active analyzer 165 and introspective analyzer 175, reference can be made to, for example, commonly owned U.S. Pat. No. 9,398,102 (NSKO 1000-2); U.S. Pat. No. 9,270,765 (NSKO 1000-3); U.S. Pat. No. 9,928,377 (NSKO 1001-2); U.S. Pat. No. 10,114,966 (NSKO 1002-1) and U.S. patent application Ser. No. 15/368,246 (NSKO 1003-3); Cheng, Ithal, Narayanaswamy, and Malmskog Cloud Security For Dummies, Netskope Special Edition, John Wiley & Sons, Inc. 2015; “Netskope Introspection” by Netskope, Inc.; “Data Loss Prevention and Monitoring in the Cloud” by Netskope, Inc.; “Cloud Data Loss Prevention Reference Architecture” by Netskope, Inc.; “The 5 Steps to Cloud Confidence” by Netskope, Inc.; “The Netskope Active Platform” by Netskope, Inc.; “The Netskope Advantage: Three “Must-Have” Requirements for Cloud Access Security Brokers” by Netskope, Inc.; “The 15 Critical CASB Use Cases” by Netskope, Inc.; “Netskope Active Cloud DLP” by Netskope, Inc.; “Repave the Cloud-Data Breach Collision Course” by Netskope, Inc.; and “Netskope Cloud Confidence Index™” by Netskope, Inc., which are incorporated by reference for all purposes as if fully set forth herein.

For system 100, a control plane may be used along with or instead of management plane 174 and data plane 180. The specific division of functionality between these groups is an implementation choice. Similarly, the functionality can be highly distributed across a number of points of presence (POPs) to improve locality, performance, and/or security. In one implementation, the data plane is on premises or on a virtual private network and the management plane of the network security system is located in cloud services or with corporate networks, as described herein. For another secure network implementation, the POPs can be distributed differently.

While system 100 is described herein with reference to particular blocks, it is to be understood that the blocks are defined for convenience of description and are not intended to require a particular physical arrangement of component parts. Further, the blocks need not correspond to physically distinct components. To the extent that physically distinct components are used, connections between components can be wired and/or wireless as desired. The different elements or components can be combined into single software modules and multiple software modules can run on the same hardware.

Moreover, this technology can be implemented using two or more separate and distinct computer-implemented systems that cooperate and communicate with one another. This technology can be implemented in numerous ways, including as a process, a method, an apparatus, a system, a device, a computer readable medium such as a computer readable storage medium that stores computer readable instructions or computer program code, or as a computer program product comprising a computer usable medium having a computer readable program code embodied therein. The technology disclosed can be implemented in the context of any computer-implemented system including a database system or a relational database implementation like an Oracle™ compatible database implementation, an IBM DB2 Enterprise Server™ compatible relational database implementation, a MySQL™ or PostgreSQL™ compatible relational database implementation or a Microsoft SQL Server™ compatible relational database implementation or a NoSQL non-relational database implementation such as a Vampire™ compatible non-relational database implementation, an Apache Cassandra™ compatible non-relational database implementation, a BigTable™ compatible non-relational database implementation or an HBase™ or DynamoDB™ compatible non-relational database implementation. In addition, the technology disclosed can be implemented using different programming models like MapReduce™, bulk synchronous programming, MPI primitives, etc. or different scalable batch and stream management systems like Amazon Web Services (AWS)™, including Amazon Elasticsearch Service™ and Amazon Kinesis™, Apache Storm™, Apache Spark™, Apache Kafka™, Apache Flink™, Truviso™, IBM Info-Sphere™, Borealis™ and Yahoo! S4™.

N-CASB 155 generates logging information that shows sensitive data, including raw event data, with information gleaned from every cloud application transaction passing through the system. Mining of the event data can thus accomplish several key tasks: identify content-based functions and activities such as creating content, uploading content, posting content, and editing content; identify non-content-based functions and activities such as inviting users to access content, share content, and view content; and establish a baseline usage behavior based on criteria such as: user, user groups, cloud service, cloud service groups, time of day, day of week, geo-location, bandwidth usage, and latency observed. Once the baseline usage behavior is established, anomalous activities are those that do not fit the observed baseline and could be flagged for administrators to review and take action. Example anomalous activities include: user accesses from geo-locations and/or times that do not fit the baseline and bandwidth usage by a user being very high, e.g. over two standard deviations compared to measured baseline. Notably, the rules are sensitive to roles, e.g. a user in a custom-defined sales group may be afforded greater latitude to be in a geo-location identified as non-standard than an employee outside that group. In some implementations, some anomalous activities may also be conditions to policies for which companies define specific actions, such as ‘blocking for excessive transfer’ until an administrator approves it or ‘revoking sharing on a shared folder in cloud storage’. Identified anomalous activities are indicators usable by an administrator who identifies a list of users who are under investigation, in one use case.

FIG. 1B shows a block diagram for incident-driven and user-targeted data loss prevention, with N-CASB 155 with incident indicator 157, location inspector 163 and data exposure calculator 164 and a user interface 152 usable by a security admin to interact with the network security system, via user interface screens described later in this application. An incident is an event that may indicate that an organization's systems or data have been compromised, such as an attempt to “edit in Box” from Google Docs, “save to Dropbox” from Slack, or “open in Microsoft Word Online” from Microsoft Office 365 OneDrive. Additional incident examples include attempts to download a confidential document from a corporate-sanctioned Box or AWS instance to a personal Dropbox account, and downloading personally-identifiable information (PII) from any HR app if the user is outside the HR team. Incident indicator 157 identifies the cloud-based services to which a user has access and location inspector 163 identifies the document location on the cloud-based services to inspect for sensitive documents. N-CASB 155 performs deep inspection of the identified documents at the cloud-based services and document location and detects sensitive documents. Deep inspection includes the use of APIs provided by cloud-based apps, such as Box and OneDrive, that enable the discovery of specific resources. One API is for discovering information for all folders and files used by each user in the organization. Another API enables the discovery of file level details, including creation date and time, modified time and shared users. Other cloud-based services apps with structured data, such as for Salesforce expose a schema that N-CASB 155 utilizes to build the metadata store to be used by the deep introspection services.

Continuing with the description of FIG. 1B, in one case N-CASB 155 utilizes user-by-user data and the file-by-file data persisted in metadata store 148 for detecting transmission of sensitive documents, based on examination of activity logs previously generated, without needing to perform the content sensitivity scan. In that case, the sensitivity metadata is generated in advance of receiving the indication, from in-transit inspection of document deposit to, retrieval from, and sharing via the cloud-based services and at-rest introspection of the sensitive documents resident in the cloud-based services.

Data exposure calculator 164 counts the number of detected sensitive documents, and associates counts with the date that the detected documents were transmitted out of the cloud-based services from the document location. The counts are usable for detecting regulatory violations. Data exposure calculator 164 also determines data compromise for an organization due to the continued access of a user after they have left the organization. Data exposure calculator 164 additionally determines litigation exposure for an organization based on detecting contaminating content, accessible to a new user post-joining, on cloud-based services and at a document location that the user gained access to post-joining.

FIGS. 2 and 3 show various log examples of user-by-user data and file-by-file data regarding interaction of an organization's users with one or more cloud-based services. FIG. 2 is an exemplary event log entry 205 in a JSON-style representation. Event log entry 205 is not exhaustive of the fields that are logged, but rather highlights key fields. Additionally, event logs from external sources can also be provided to N-CASB 155. In the example log listed in FIG. 2 entry 202 identifies a file object using a file object identifier (“id”), entry 212 identifies Dropbox™ as the cloud-based service on which the file object is stored, entry 222 identifies a user identifier (“User Id”) of a user who interacted with the file object, entry 252 identifies Rama Rao as the name of the user (“User Name”), entry 262 identifies an IP address associated with a user endpoint used by the user to interact with the file object (“urip”), entry 272 identifies a .txt file type of the file object (“oid”), entry 282 identifies the activity performed by the user as share (“act”), entry 276 identifies an iOS operating system running on the user endpoint (“os”), and entry 286 identifies a source location of the user endpoint (“slc”). As shown in FIG. 2, the user-by-user data and the file-by-file data can include additional entries as well.

In FIG. 3, log 302 contains user-by-user data and file-by-file data that identify user file sharing behavior. For example, the log 302 identifies a file object (“id”), a cloud-based service on which the file object resides as “appname”: Box 308, a username of a user who interacted with the file object as “ghostking” 306, whether the user is an admin (“isAdmin”), when the user last logged in (“lastLoginTime”), and a user identifier of the user (“uid”). As shown in log 312, also a Box app entry, the user-by-user data and the file-by-file data can identify additional user file sharing behavior. In this example, logs 302 and 312 identify user file sharing behavior of two users, each identified by their email address. Logs 322, 352, 362 and 372 contain user-by-user data and file-by-file data that identify different key-value pairs representing various user and file characteristics. In some implementations, logs 322, 352, 362 and 372 apply to four distinct file objects. In some implementations of the disclosed technology, data exposure is determined based on whether the detected sensitive documents were transmitted out of at least one of the cloud-based services from the identified document location on or after a date of interest. Date information can provide definitive evidence of a security breach, as opposed to a potential for breach. Section 13402(e)(4) of the HITECH Act states breaches of unsecured protected health information affecting 500 or more individuals must be reported and posted by the department of Health and Human Services (HHS).

Log data is utilized by Netskope cloud access security broker 155 for determining data exposure for the organization due to the compromised credentials of a particular user. Example reasons that credentials are determined to be compromised include the scenario in which documents were uploaded to an unsanctioned cloud service, or downloaded or shared, in conflict with the defined privacy settings for the documents. Compromised credentials are stored independently in metadata store 148. In one example, for a credential that has been compromised in an organization, disclosed N-CASB 155 looks in the email client outlook.com for the compromised credential, which is typically the person's email address, and scans the user's email to determine whether and what kind of sensitive data exists in the user's email folders, including their inbox, outbox drafts and other folders. Sensitive data in the user's folders has been exposed, because the user's credential has been compromised. In another example, N-CASB 155 identifies the users who have permission to connect to Box, and for each user lists the folders accessible to that user, including any folders that are shared with multiple people.

If logs, which include a list of sensitive documents in the folder and details of activities performed relative to those documents, are already available from introspection, N-CASB 155 parses the logs that have been indexed and stored as part of introspection and performs introspection for any data that has not been indexed.

Policy-wise the next step after detecting the presence of sensitive documents for a user with compromised credentials can be to check whether there are any downloads of that sensitive document by the user. In one use case, if an organization identifies a specific sensitive document, the disclosed technology enables the deep inspection of documents stored in all of the folders for the specific user with compromised credentials, to detect the specific sensitive document, if present.

General Data Protection Regulation (GDPR) on data protection and privacy for individuals within the European Union (EU) and the European Economic Area (EEA) defines violations for sharing private information. Health Insurance Portability and Accountability Act (HIPAA) defines data privacy and security provisions for safeguarding medical information, the Social Security Number Confidentiality Act defines social security number protections, and Payment Card Industry Data Security Standard PCI-DSS define requirements for reporting information leaks. For the disclosed method, the data exposure is determined based on a count of the detected sensitive documents in one implementation. For example, healthcare organizations need to determine the count of sensitive documents that contain public health information (PHI) data in the folders of outlook.com for a user. If the count of sensitive documents that contain PHI data exceeds a certain number of records, the organization must report the sensitive document count to the office of Health and Human Services for regulatory reasons. In other examples, sensitive documents include GDPR and PII data. N-CASB 155 measures regulatory compliance based on the count of the detected sensitive documents and detects regulatory violations and flags the regulatory violations for reporting to a regulatory authority.

FIG. 4 and FIG. 5 show example folder structures for two cloud-based apps. FIG. 4 shows folders 442 for an Outlook online application, for drafts, sent items, deleted items, junk email, outbox, RSS subscriptions and search folders. FIG. 5 shows a set of shared folders in cloud-based app Box.

FIG. 6 illustrates one implementation of a visibility dashboard 600 that provides visibility of enterprise information stored on a cloud computing service (CCS). In one implementation, incident indicator 157 identifies incidents for cloud-based applications 652 and determines a plurality of metadata associated with the objects, as discussed supra. Further, the assembled metadata is depicted using the visibility dashboard 600 that generates a graphical summary of the number of incidents by application 674 and number of malware incidents in particular.

Netskope cloud access security broker 155 reports detected sensitive documents and data exposure details for users with compromised credentials. FIG. 7A through FIG. 7E show aspects of a visibility dashboard usable for displaying data exposure details due to the compromised credentials of a particular user based on the detected sensitive documents, for an organization. FIG. 7A shows a display 700 of the compromised credentials for incidents for 15 users 714 on a visibility dashboard. In this example, a webhost customer data breach 766, a Dropbox data breach 776 and a linkedIn credential dump 786 are included in the report of compromised credentials for the user, who has be obfuscated for the screenshot. FIG. 7B shows violations 742 and file exposure 746 for a single user 732.

Continuing with examples of data disclosure details, FIG. 7C shows visibility dashboard results for Dropbox 722 for a single user 755 who owns the files. Various file types are included: documents, folders, text files, presentations and video 748. In this example, only the presentations have been externally shared 778. In another use case example, the Dropbox file types can include images, css and confidential folders. FIG. 7D shows, for a single user being investigated for compromised credentials, the relationship between the number of files that are private; public and internally shared, as well as the number and types of violations. FIG. 7D includes graphs of file exposure 762 and violations 765 that include GDPR data and the number of files with DLP-PII data. The file types 766 including documents, folders, spreadsheets presentations and images. FIG. 7E shows an example set of data reported by Netskope cloud access security broker 155 for a Cisco Spark web interface 724 for a single user 764. Policy hits 784 are reported along with the respective timestamps.

The visibility dashboard offers an interface for selecting traffic type and types of activities relative to sensitive files, such as downloads and uploads; and can include additional attributes such as access method, device classification, operating system, browser, file type, user type, source network, source countries, destination countries and file size, in some implementations. In one example, a filter can be set to report incidents for the last 24 hours, last 7 days, last 30 days, last 90 days, last week, or last month. Available actions for detected violations for files, associated with a particular user with compromised credentials, determined to contain sensitive documents include the following configurable options: alert, allow, multi-factor authentication, block, user alert, idle timeout, quarantine, encrypt and bypass actions.

In one use case, a report of sensitive documents can reflect documents from a competitor company accessed by a recently-hired employee using the hiring company's email, Box, Dropbox, web browsers or other access points.

Workflow

FIG. 8 shows a representative method of incident-driven and user-targeted data loss prevention for detecting data exposure. Flowchart 800 can be implemented at least partially with a computer or other data processing system; that is, by one or more processors configured to receive or retrieve information, process the information, store results, and transmit the results. Other implementations may perform the actions in different orders and/or with different, fewer or additional actions than those illustrated in FIG. 8. Multiple actions can be combined in some implementations. For convenience, this flowchart is described with reference to a system which includes a cloud access security broker (CASB) controlling exfiltration of sensitive content in documents stored on cloud-based services in use by users of an organization by monitoring manipulation of the documents.

The method described in this section and other sections of the technology disclosed can include one or more of the following features and/or features described in connection with additional methods disclosed. In the interest of conciseness, the combinations of features disclosed in this application are not individually enumerated and are not repeated with each base set of features.

FIG. 8 begins with action 815 in which N-CASB 155 receives an indicator that credentials of a particular user have been compromised.

Process 800 continues at action 825 with N-CASB 155 identifying one or more of the cloud-based services that the particular one of the users has access to and at least one document location on the cloud-based services to inspect for sensitive documents.

Action 835 includes N-CASB 155 performing deep inspection of documents stored at the identified document location and detecting at least some sensitive documents.

At action 845, N-CASB 155 determines a data exposure for the organization due to the compromised credentials of the particular one of the users, based on the detected sensitive documents.

FIG. 9 shows a representative method for controlling infiltration of contaminating content on cloud-based services in use by users of an organization by monitoring content deposit to the cloud-based services. Flowchart 900 can be implemented at least partially with a computer or other data processing system; that is, by one or more processors configured to receive or retrieve information, process the information, store results, and transmit the results. Other implementations may perform the actions in different orders and/or with different, fewer or additional actions than those illustrated in FIG. 9. Multiple actions can be combined in some implementations. For convenience, this flowchart is described with reference to the system that carries out a method. The system is not necessarily part of the method.

FIG. 9 begins with action 915, in which N-CASB 155 receives an indicator that a new user has joined the organization.

Process 900 continues at action 925 with N-CASB 155 identifying one or more of the cloud-based services that the particular one of the users has access to and at least one document location on the cloud-based services to inspect for sensitive documents.

Action 935 includes N-CASB 155 performing deep inspection of documents stored at the identified document location and detecting at least some contaminating content.

At action 945, N-CASB 155 determines a litigation exposure for the organization due to the access of the new user post-joining.

FIG. 10 shows a representative method for incident-driven and user-targeted data loss prevention without needing to perform content sensitivity scan. Flowchart 1000 can be implemented at least partially with a computer or other data processing system; that is, by one or more processors configured to receive or retrieve information, process the information, store results, and transmit the results.

FIG. 10 begins with action 1015, in which N-CASB 155 receives an indication that credentials of a particular user have been compromised.

Process 1000 continues at action 1025 with N-CASB 155 identifying one or more of the cloud-based services that the user has access to and at least one document location on the cloud-based services to inspect for sensitive documents.

Action 1035 includes N-CASB 155 detecting at least some sensitive documents identified as stored at the document location based on examining sensitivity metadata retrieved for the sensitive documents from a cloud-based metadata store. The sensitivity metadata is previously generated, in advance of receiving the indication, from in-transit inspection of document deposit to, retrieval from, and sharing via the at least one of the cloud-based services and at-rest introspection of the sensitive documents resident in the at least one of the cloud-based services.

At action 1045, N-CASB 155 determines a data exposure for the organization due to the compromised credentials of the particular user.

Other implementations may perform the actions in different orders and/or with different, fewer or additional actions than those illustrated in FIG. 10. Multiple actions can be combined in some implementations. For convenience, this flowchart is described with reference to a system which includes a CASB controlling exfiltration of sensitive content in documents stored on cloud-based services in use by users of an organization by monitoring manipulation of the documents. For convenience, this flowchart is described with reference to the system that carries out a method. The system is not necessarily part of the method.

FIG. 12 shows a representative method for request-driven and user-targeted data loss prevention. Flowchart 1200 can be implemented at least partially with a computer or other data processing system; that is, by one or more processors configured to receive or retrieve information, process the information, store results, and transmit the results.

FIG. 12 begins with action 1215, in which N-CASB 155 receives a right to be forgotten request from a particular consumer.

Process 1200 continues at action 1225 with N-CASB 155 identifying one or more locations on one or more cloud-based services at which consumer data for the particular consumer is stored.

Action 1235 includes N-CASB 155 performing deep inspection of the consumer data stored at the identified locations and detecting at least some sensitive data in the consumer data.

At action 1245, N-CASB 155 fulfills the right to be forgotten request by removing the detected sensitive data from the cloud-based services determines a data exposure for the organization due to the compromised credentials of the particular user, and optional providing the detected sensitive data to the particular consumer.

Other implementations may perform the actions in different orders and/or with different, fewer or additional actions than those illustrated in FIG. 12. Multiple actions can be combined in some implementations. For convenience, this flowchart is described with reference to a system which includes a CASB controlling exfiltration of sensitive content in documents stored on cloud-based services in use by users of an organization by monitoring manipulation of the documents. For convenience, this flowchart is described with reference to the system that carries out a method. The system is not necessarily part of the method.

Computer System

FIG. 11 is a simplified block diagram of a computer system 1100 that can be used to implement incident-driven and user-targeted data loss prevention. Computer system 1100 includes at least one central processing unit (CPU) 1172 that communicates with a number of peripheral devices via bus subsystem 1155. These peripheral devices can include a storage subsystem 1110 including, for example, memory devices and a file storage subsystem 1136, user interface input devices 1138, user interface output devices 1176, and a network interface subsystem 1174. The input and output devices allow user interaction with computer system 1100. Network interface subsystem 1174 provides an interface to outside networks, including an interface to corresponding interface devices in other computer systems.

In one implementation, the cloud-based network security system (NSS) 135 of FIG. 1 is communicably linked to the storage subsystem 1110 and the user interface input devices 1138.

User interface input devices 1138 can include a keyboard; pointing devices such as a mouse, trackball, touchpad, or graphics tablet; a scanner; a touch screen incorporated into the display; audio input devices such as voice recognition systems and microphones; and other types of input devices. In general, use of the term “input device” is intended to include all possible types of devices and ways to input information into computer system 1100.

User interface output devices 1176 can include a display subsystem, a printer, a fax machine, or non-visual displays such as audio output devices. The display subsystem can include an LED display, a cathode ray tube (CRT), a flat-panel device such as a liquid crystal display (LCD), a projection device, or some other mechanism for creating a visible image. The display subsystem can also provide a non-visual display such as audio output devices. In general, use of the term “output device” is intended to include all possible types of devices and ways to output information from computer system 1100 to the user or to another machine or computer system.

Storage subsystem 1110 stores programming and data constructs that provide the functionality of some or all of the modules and methods described herein. Subsystem 1178 can be graphics processing units (GPUs) or field-programmable gate arrays (FPGAs).

Memory subsystem 1122 used in the storage subsystem 1110 can include a number of memories including a main random access memory (RAM) 1132 for storage of instructions and data during program execution and a read only memory (ROM) 1134 in which fixed instructions are stored. A file storage subsystem 1136 can provide persistent storage for program and data files, and can include a hard disk drive, a floppy disk drive along with associated removable media, a CD-ROM drive, an optical drive, or removable media cartridges. The modules implementing the functionality of certain implementations can be stored by file storage subsystem 1136 in the storage subsystem 1110, or in other machines accessible by the processor.

Bus subsystem 1155 provides a mechanism for letting the various components and subsystems of computer system 1100 communicate with each other as intended. Although bus subsystem 1155 is shown schematically as a single bus, alternative implementations of the bus subsystem can use multiple busses.

Computer system 1100 itself can be of varying types including a personal computer, a portable computer, a workstation, a computer terminal, a network computer, a television, a mainframe, a server farm, a widely-distributed set of loosely networked computers, or any other data processing system or user device. Due to the ever-changing nature of computers and networks, the description of computer system 1100 depicted in FIG. 11 is intended only as a specific example for purposes of illustrating the preferred embodiments of the present disclosed technology. Many other configurations of computer system 1100 are possible having more or less components than the computer system depicted in FIG. 11.

Particular Implementations

Some particular implementations and features for incident-driven and user-targeted data loss prevention are described in the following discussion.

In one disclosed implementation, tangible non-transitory computer readable storage media, including program instructions loaded into memory that, when executed on processors, cause the processors to implement a method of incident-driven and user-targeted data loss prevention includes a cloud access security broker (CASB) controlling exfiltration of sensitive content in documents stored on cloud-based services in use by users of an organization by monitoring manipulation of the documents. The method includes, in response to receiving an indication that credentials of a particular one of the users have been compromised, the CASB identifying one or more of the cloud services that the particular one of the users has access to and at least one document location on the cloud-based services to inspect for sensitive documents. Additionally included in the method is the CASB performing deep inspection of documents stored at the document location and detecting at least some sensitive documents, and based on the detected sensitive documents, the CASB determining a data exposure for the organization due to the compromised credentials of the particular one of the users.

The method described in this section and other sections of the technology disclosed can include one or more of the following features and/or features described in connection with additional methods disclosed. In the interest of conciseness, the combinations of features disclosed in this application are not individually enumerated and are not repeated with each base set of features. The reader will understand how features identified in this method can readily be combined with sets of base features identified as implementations.

For some implementations, tangible non-transitory computer readable storage media, including program instructions loaded into memory that, when executed on processors, cause the processors to implement the disclosed method wherein the compromised credentials are single sign-on authentication credentials for accessing the one or more of the cloud-based services. In one implementation of the disclosed technology, the data exposure is determined based on a count of the detected sensitive documents. Some implementations further include the CASB measuring regulatory compliance based on the count of the detected sensitive documents and detecting regulatory violations, and flagging the regulatory violations for reporting to a regulatory authority.

For one implementation, tangible non-transitory computer readable storage media, including program instructions loaded into memory that, when executed on processors, cause the processors to implement the disclosed method wherein compromise of the documents subject to the data exposure is determined based on determination by the CASB that the detected sensitive documents were transmitted out of the at least one of the cloud-based services from the identified document location on or after a date of interest. In some implementations, the date of interest is at least one of when the credentials were compromised and when the exit occurred. In some implementations, the transmission is detected based on examination of activity logs previously generated, in advance of receiving the indication, from document deposit to, retrieval from, and sharing via the at least one of the cloud-based services.

In one implementation of the disclosed technology, at least one of the cloud-based services is a cloud-hosted email service and the identified document location is at least one of inbox folder, sent folder, outbox folder, drafts folder, and deleted folder. Cloud-hosted email service can be accessed via web browser or other apps that may use protocols different from http(s). In another implementation, at least one of the cloud-based services is a cloud storage service and the identified document location is at least one of user folder and group folder.

Some implementations of the disclosed technology further include, in response to receiving an indication that a particular one of the users has exited the organization, the CASB identifying at least one document location on at least one of the cloud-based services that the particular one of the users continued to have access to post-exit. Also further included is the CASB performing deep inspection of documents stored at the identified document location and detecting at least some sensitive documents, and based on the detected sensitive documents, the CASB determining a data compromise for the organization due to the continued access of the particular one of the users post-exit. Some implementations of the disclosed technology further include, in response to detecting the at least some sensitive documents, triggering a security action, wherein the security action is encrypting the sensitive documents with a key not accessible via the compromised credential.

In one implementation of the disclosed technology, tangible non-transitory computer readable storage media, including program instructions loaded into memory that, when executed on processors, cause the processors to implement a method of incident-driven and user-targeted data loss prevention that includes a CAS) controlling infiltration of contaminating content on cloud-based services in use by users of an organization by monitoring content deposit to the cloud-based services. In response to receiving an indication that a new user has joined the organization, the CASB identifies one or more of the cloud-based services that the particular one of the users has access to and at least one document location on the cloud-based services that the new user gained access to post-joining, to inspect for sensitive documents. The CASB performs deep inspection of content stored at the identified document location and detecting at least some contaminating content, and based on the detected contaminating content, the CASB determines a litigation exposure for the organization due to the access of the new user post-joining.

In some disclosed implementations of the disclosed technology, tangible non-transitory computer readable storage media, including program instructions loaded into memory that, when executed on processors, cause the processors to implement a method of incident-driven and user-targeted data loss prevention without needing to perform content sensitivity scan. The method includes a CASB controlling exfiltration of sensitive content in documents stored on cloud-based services in use by users of an organization by monitoring manipulation of the documents. The method also includes, in response to receiving an indication that credentials of a particular one of the users have been compromised, the CASB identifying one or more of the cloud-based services that the particular one of the users has access to and at least one document location on the cloud-based services to inspect for sensitive documents. The disclosed method further includes the CASB detecting at least some sensitive documents stored at the identified document location based on examining sensitivity metadata retrieved for the sensitive documents from a cloud-based metadata store, wherein the sensitivity metadata is previously generated, in advance of receiving the indication, from in-transit inspection of document deposit to, retrieval from, and sharing via the at least one of the cloud-based services and at-rest introspection of the sensitive documents resident in the at least one of the cloud-based services. The method additionally includes, based on the detected sensitive documents, the CASB determining a data exposure for the organization due to the compromised credentials of the particular one of the users.

One disclosed implementation of the disclosed technology includes tangible non-transitory computer readable storage media, including program instructions loaded into memory that, when executed on processors, cause the processors to implement a method of request-driven and user-targeted data loss prevention that includes a cloud access security broker (CASB) controlling exfiltration of consumer data stored on cloud-based services by a service provider. The method includes, in response to receiving a right to be forgotten request from a particular consumer, the CASB identifying one or more locations on one or more of the cloud-based services at which consumer data for the particular consumer is stored, and the CASB performing deep inspection of the consumer data stored at the identified locations and detecting at least some sensitive data in the consumer data. The disclosed method also includes the CASB fulfilling the right to be forgotten request by removing the detected sensitive data from the cloud-based services. For some implementations, the method further includes, in addition to removing the detected sensitive data from the cloud-based services, the CASB providing the detected sensitive data to the particular consumer.

The sensitive data in the consumer data can be personal data, that is, any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This includes personal identifiers such as name, identification number, location data and/or online identifier. The sensitive data in the consumer data can be personally identifiable information (PII) that can potentially identify a specific individual. Removing the detected sensitive data can included erasing any information directly or indirectly identified as related to an identifiable person. Other implementations of the disclosed technology described in this section can include a computer-implemented method that includes executing on a processor the program instructions from the non-transitory computer readable storage media to perform any of the methods described above. Yet another implementation of the disclosed technology described in this section can include a system including memory and one or more processors operable to execute computer instructions, stored in the memory, to perform any of the methods described above. The preceding description is presented to enable the making and use of the technology disclosed. Various modifications to the disclosed implementations will be apparent, and the general principles defined herein may be applied to other implementations and applications without departing from the spirit and scope of the technology disclosed. Thus, the technology disclosed is not intended to be limited to the implementations shown, but is to be accorded the widest scope consistent with the principles and features disclosed herein. The scope of the technology disclosed is defined by the appended claims.

Clauses

Clause 1. A tangible non-transitory computer readable storage media, including program instructions loaded into memory that, when executed on processors, cause the processors to implement a method of request-driven and user-targeted data loss prevention, the method including:

-   a cloud access security broker (abbreviated CASB) controlling     exfiltration of consumer data stored on cloud-based services by a     service provider; -   in response to receiving a right to be forgotten request from a     particular consumer, the CASB identifying one or more locations on     one or more of the cloud-based services at which consumer data for     the particular consumer is stored; -   the CASB performing deep inspection of the consumer data stored at     the identified locations and detecting at least some sensitive data     in the consumer data; and -   the CASB fulfilling the right to be forgotten request by removing     the detected sensitive data from the cloud-based services.

Clause 2. The tangible non-transitory computer readable storage media of clause 1, further including program instructions that, when executed on processors, cause the processors to implement the method including: in addition to removing the detected sensitive data from the cloud-based services, the CASB providing the detected sensitive data to the particular consumer.

Clause 3. A computer-implemented method including executing on a processor the program instructions from the non-transitory computer readable storage media of clause 2.

Clause 4. A system for incident-driven and user-targeted data loss prevention, the system including a processor, memory coupled to the processor, and computer instructions from the non-transitory computer readable storage media of clause 2 loaded into the memory. 

What is claimed is:
 1. A tangible non-transitory computer readable storage media, including program instructions loaded into memory that, when executed on processors, cause the processors to implement a method of incident-driven and user-targeted data loss prevention, the method including: a cloud access security broker (abbreviated CASB) controlling exfiltration of sensitive content in documents stored on cloud-based services in use by users of an organization by monitoring manipulation of the documents; in response to receiving an indication that credentials of a particular one of the users have been compromised, the CASB identifying one or more of the cloud-based services that the particular one of the users has access to and at least one document location on the cloud-based services to inspect for sensitive documents; the CASB performing deep inspection of documents identified as stored at the document location and detecting at least some sensitive documents; and based on the detected sensitive documents, the CASB determining a data exposure for the organization due to the compromised credentials of the particular one of the users.
 2. The tangible non-transitory computer readable storage media of claim 1, wherein the compromised credentials include a single sign-on (abbreviated SSO) authentication for accessing the one or more of the cloud-based services.
 3. The tangible non-transitory computer readable storage media of claim 1, wherein the data exposure is determined based on a count of the detected sensitive documents.
 4. The tangible non-transitory computer readable storage media of claim 3, further including program instructions that, when executed on processors, cause the processors to implement the method including: the CASB measuring regulatory compliance based on the count of the detected sensitive documents and detecting regulatory violations; and flagging the regulatory violations for reporting to a regulatory authority.
 5. The tangible non-transitory computer readable storage media of claim 1, wherein compromise of the documents subject to the data exposure is determined based on determination by the CASB that the detected sensitive documents were transmitted out of the at least one of the cloud-based services from the identified document location on or after a date of interest.
 6. The non-transitory computer readable storage media of claim 5, wherein the transmission is detected based on examination of activity logs previously generated, in advance of receiving the indication, from document deposit to, retrieval from, and sharing via the at least one of the cloud-based services.
 7. The non-transitory computer readable storage media of claim 5, wherein the at least one of the cloud-based services is a cloud-hosted email service and the identified document location is at least one of inbox folder, sent folder, outbox folder, drafts folder, and deleted folder.
 8. The non-transitory computer readable storage media of claim 1, further including program instructions that, when executed on processors, cause the processors to implement the method including: in response to receiving an indication that a particular one of the users has exited the organization, the CASB identifying at least one document location on at least one of the cloud-based services that the particular one of the users continued to have access to post-exit; the CASB performing deep inspection of documents stored at the identified document location and detecting at least some sensitive documents; and based on the detected sensitive documents, the CASB determining a data compromise for the organization due to the continued access of the particular one of the users post-exit.
 9. The non-transitory computer readable storage media of claim 8, wherein date of interest is at least one of when the credentials were compromised and when the exit occurred.
 10. The non-transitory computer readable storage media of claim 1, further including program instructions that, when executed on processors, cause the processors to implement the method including: in response to detecting the at least some sensitive documents, triggering a security action, wherein the security action is encrypting the sensitive documents with a key not accessible via the compromised credential.
 11. A tangible non-transitory computer readable storage media, including program instructions loaded into memory that, when executed on processors, cause the processors to implement a method of incident-driven and user-targeted data loss prevention, the method including: a cloud access security broker (abbreviated CASB) controlling infiltration of contaminating content on cloud-based services in use by users of an organization by monitoring content deposited to the cloud-based services; in response to receiving an indication that a new user has joined the organization, the CASB identifying one or more of the cloud-based services that the particular one of the users has access to and at least one document location on the cloud-based services that the new user gained access to post-joining, to inspect for sensitive documents; the CASB performing deep inspection of content stored at the identified document location and detecting at least some contaminating content; and based on the detected contaminating content, the CASB determining a litigation exposure for the organization due to the access of the new user post-joining.
 12. The non-transitory computer readable storage media of claim 11, wherein the at least one of the cloud-based services is a cloud-hosted email service and the identified document location is at least one of inbox folder, sent folder, outbox folder, drafts folder, and deleted folder.
 13. The non-transitory computer readable storage media of claim 11, wherein the at least one of the cloud-based services is a cloud storage service and the identified document location is at least one of user folder and group folder.
 14. A tangible non-transitory computer readable storage media, including program instructions loaded into memory that, when executed on processors, cause the processors to implement a method of incident-driven and user-targeted data loss prevention without needing to perform content sensitivity scan, the method including: a cloud access security broker (abbreviated CASB) controlling exfiltration of sensitive content in documents stored on cloud-based services in use by users of an organization by monitoring manipulation of the documents; in response to receiving an indication that credentials of a particular one of the users have been compromised, the CASB identifying one or more of the cloud-based services that the particular one of the users has access to and at least one document location on the cloud-based services to inspect for sensitive documents; the CASB detecting at least some sensitive documents identified as stored at the document location based on examining sensitivity metadata retrieved for the sensitive documents from a cloud-based metadata store; wherein the sensitivity metadata is previously generated, in advance of receiving the indication, from in-transit inspection of document deposit to, retrieval from, and sharing via the at least one of the cloud-based services and at-rest introspection of the sensitive documents resident in the at least one of the cloud-based services; and based on the detected sensitive documents, the CASB determining a data exposure for the organization due to the compromised credentials of the particular one of the users.
 15. A computer-implemented method including executing on a processor the program instructions from the non-transitory computer readable storage media of claim
 1. 16. A computer-implemented method including executing on a processor the program instructions from the non-transitory computer readable storage media of claim
 11. 17. A computer-implemented method including executing on a processor the program instructions from the non-transitory computer readable storage media of claim
 14. 18. A system for incident-driven and user-targeted data loss prevention, the system including a processor, memory coupled to the processor, and computer instructions from the non-transitory computer readable storage media of claim 1 loaded into the memory.
 19. A system for incident-driven and user-targeted data loss prevention, the system including a processor, memory coupled to the processor, and computer instructions loaded into the memory that, when executed, cause the processor to implement the method of claim
 11. 20. A system for incident-driven and user-targeted data loss prevention without needing to perform content sensitivity scan, the system including a processor, memory coupled to the processor, and computer instructions loaded into the memory that, when executed, cause the processor to implement the method of claim
 14. 